Microsoft Windows Registry Guide, Second Edition
Auditing Registry Access
Auditing registry access is a great way to track down registry settings, and it's one of the methods that I discuss in Chapter 10, “Finding Registry Settings.” It's also a reasonable way to monitor access to sensitive settings. The problem with auditing the registry is that you must either get very specific about which key you're auditing or pay a severe performance penalty by auditing too much of the registry. It's a fine line between getting the information you need and grinding the computer to a halt.
Auditing a key is a three-step process. First you must enable Audit Policy. You can do that on the network using Group Policy, but that seems silly considering the scope of the performance impact. If you're using auditing as a troubleshooting tool or to track down a setting, turn on Audit Policy locally. In Control Panel, in Classic view, open the Administrative Tools folder, and launch Local Security Policy. You won't find Local Security Policy on a domain controller. In the left pane, under Local Policies, click Audit Policy. In the right pane, double-click Audit Object Access, and then select the Success and Failure check boxes. After you've enabled Audit Policy, use Regedit to audit individual keys, as follows:
1. In Regedit, click the key that you want to audit.
2. On the Edit menu, click Permissions; then click Advanced.
3. On the Auditing tab, shown in Figure 8-3, click Add.
4. In the Select Users, Computers, Or Groups dialog box, click Locations, and then click the computer, the domain, or the organizational unit in which you want to look for the user or the group that you want to audit.
5. In the Enter The Object Names To Select box, type the name of the user or the group that you want to add to the key's audit list, and then click OK.
Figure 8-3 Audit keys sparingly because doing so can significantly impact performance.
6. In the Auditing Entry For Name dialog box, in the Access list, select both the Successful and Failed check boxes next to the activities for which you want to audit successful and failed attempts. These correspond to the permissions you learned about in the section “Assigning Special Permissions” earlier in this chapter:
Full Control
Query Value
Set Value
Create Subkey
Enumerate Subkeys
Notify
Create Link
Delete
Write DAC
Write Owner
Read Control
After enabling Audit Policy and auditing specific keys, check the results using Event Viewer. To open Event Viewer, in Control Panel, in Classic view, open the Administrative Tools folder, and launch Event Viewer. In Event Viewer's left pane, click Security. You see each entry in the right pane, and the most recent entries are at the top of the list. Double-click any entry to see more details. The Event Properties dialog box tells you what type of access Windows detected, the object type, and the process that accessed the key or the value. Chapter 10, “Finding Registry Settings,” shows you how to use this information to figure out where Windows or a program stores certain settings in the registry.
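The same three steps, scripted as an added PowerShell example that is not from the book: it enables the Registry audit subcategory, puts one narrow audit entry on a single constructed key (HKCU:\Software\ExampleAuditDemo is a sample name), and reads the resulting Security events the way Event Viewer would. It assumes an elevated session on Windows Vista or later, where auditpol.exe subcategories and event IDs 4657/4663 exist; the book's screens predate those.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the book. Assumes Windows Vista/Server 2008 or later
# (auditpol.exe subcategories and event IDs 4657/4663) and an elevated session,
# because writing a SACL needs SeSecurityPrivilege. The key name is a constructed sample.
$KeyPath = 'HKCU:\Software\ExampleAuditDemo'

# Step 1: turn on Object Access auditing. The book uses Local Security Policy;
# the Registry subcategory is the narrowest equivalent on newer systems.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Step 2: create the sample key and add one audit entry (a SACL ACE) to it.
# Audit only the write-type rights; auditing QueryValue on a busy key is
# what produces the performance penalty the book warns about. The names are
# the .NET equivalents of the permissions listed above (ChangePermissions =
# Write DAC, TakeOwnership = Write Owner).
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

$rights = [System.Security.AccessControl.RegistryRights] 'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$flags  = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
$rule   = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    $flags)

$acl = Get-Acl -Path $KeyPath -Audit   # -Audit reads the SACL, not only the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Step 3: cause one audited write, then read the Security log, which is the
# same data Event Viewer shows. 4657 = value modified, 4663 = object accessed.
Set-ItemProperty -Path $KeyPath -Name 'Probe' -Value 1

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like '*ExampleAuditDemo*' } |
    ForEach-Object {
        # The message body carries the access type, object type and process,
        # the same fields the Event Properties dialog box displays.
        $proc = if ($_.Message -match 'Process Name:\s+(.+)') { $Matches[1].Trim() } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Process = $proc }
    } | Format-Table -AutoSize
```

Remove the audit entry again (or delete the sample key) when you are done, since the SACL keeps generating events for as long as the subcategory stays enabled.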